
NHS Halton CCG

Staff Handbook

2015


Company Confidentiality

This document is proprietary to NHS Halton CCG and is intended for their exclusive use. Under no circumstances should this document be given to any unauthorised individual, supplier or company, nor should any duplicates be made without express permission of NHS Halton CCG.

Document Control

Reference Number: CS01

Document Title: Staff Handbook 2015

Version Number: 1

Date of Publication: June 2015 – Updated November 2015

Author: Helen Brislen / Faye Gilston

Filename: Staff Handbook 2015

Number of Pages: 47

Document Version Control

Version / Status | Release Description | Date of Issue
V1.0 Final | 1st Finalised Version – Updated November 2015 | June 2015

Document Distribution Control

Recipient Name | Versions: 1.0
All staff | x


Contents

Introduction

Incoming and outgoing post

Email Best practice model

Tea & Coffee Rota/Fund

Birthdays

Team Meetings & Events

Statutory & mandatory training

Travel & subsistence claims

Video & telephone conferencing

Desk Space & Hot Desking

St Helens & Knowsley Health Informatics service

OOH Support for Remote Working

Printers and printing services

Job Storage Function

Shared Printing Services/ External Printing Services

NHS Halton CCG Shared Network drive

Halton Hub

Office & Building Access

Accident & Incident Reporting

Dangerous Occurrences

Fire & bomb alert evacuation procedures

Fire Marshalls and Personal Evacuation Officers

First Aiders

Personal Development Reviews (PDR’s)

Sickness Absence

Annual Leave

Staff & Pay Services

Payroll Cut Off Dates

Introduction to Freedom of Information

CSU Internal Management System/Reporting to CCG/ICO

Information Governance

Ebrief Articles & Appendices

Ebrief: Information Governance Compliance

Caldicott Reports 1997 & 2013

Personal Confidential Data

Ebrief: Information Governance Policies

Ebrief: Information Governance Training

Questions & Answers

Ebrief: Information Governance Incident Feedback Lessons Learnt

Ebrief: Role of Caldicott Guardian & SIRO

Ebrief: Information Governance Incidents

Ebrief: Privacy Impact Assessment & Information Sharing Protocol

Ebrief: Data Flow Mapping & Info Asset Register

Ebrief: NHS Number

Ebrief: Smartcards

Ebrief: Fair Processing Notice

Ebrief: Fax Safe Haven

Ebrief: Emails & FOIA

Ebrief: NHSmail

Ebrief: Spot Checks

Areas of Risk & General Recommendations

Ebrief: Confidential Waste

Ebrief: ID Badges

Ebrief: Redacting personal data - a risky business

Ebrief: Corporate Records Retention

Ebrief: Subject Access Requests (SARs)


Introduction

The aim of this document is to provide staff with a reference guide to key information, to ensure the NHS Halton CCG office runs smoothly and effectively.

Incoming and outgoing post

It is the responsibility of each member of staff to ensure their outgoing post is in a clearly addressed envelope and placed in the black post tray beneath the staff noticeboard. All post should be marked ‘1’ or ‘2’ (for 1st/2nd Class) and ‘CCG’ in the bottom left of each envelope. Any post not marked otherwise will be sent by 2nd Class. A member of the admin team will collect all post from the tray by 3.45pm daily and take it to the postal area on the ground floor for franking.

All incoming post will be collected each morning, opened, sorted and date stamped by a member of the Admin Team, and will then be passed to the relevant recipient, or redirected as appropriate in their absence.

Email Charter

All members of staff should try to follow the email charter’s 9 rules for more efficient email use where possible.

Email Best practice model

All members of staff should try to follow the best practice model for sending and receiving emails where possible, as follows:

Sending

WHY
o Can I speak to the relevant people face to face? Or on the telephone?
o What outcome do I want from the email?
o Is the email and subject line action-focused?
o Subject – For Info / Response required / Action required
o Are the necessary timescales included?

WHAT
o Is attachment necessary? Can I save in shared folder?
o Is email short, concise, and action-focused?
o Can this info be shared on Board / Hub?

WHO
o Is the email being sent to the most appropriate individual(s)?
o To – individuals to take action
o CC – Copied for info
o BC – only with good reason
o What actions do I want the recipient to take?

Receiving

2 MINUTE RULE – DO IT
o If it takes less than two minutes DO IT!!

DELEGATE IT
o Clarify roles, responsibilities and deadlines
o Reviews necessary?

DIARISE IT
o Set yourself reminders where there are deadlines
o Schedule time to deal with emails

DELETE IT
o Delete unwanted / unnecessary emails
o Archive regularly.

Tea and Coffee Rota / Fund

NHS Halton CCG operates a tea and coffee rota for staff working at Runcorn Town Hall. Staff that want to participate in the tea and coffee rota should report to the Corporate Services Business Manager. On average it will cost participants £1 per week depending on the number of days they work at the Town Hall. Money that is collected will be used to buy milk, tea, coffee and sugar when supplies are low.

The tea and coffee rota shows the dates that each participant has been allocated to pick up supplies, using money from the tea and coffee fund. If a participant uses their own money to buy the supplies they can be reimbursed or use the money as their contribution towards the tea and coffee fund. This rota is kept with a member of the Admin team.

The tea and coffee fund is also used to buy birthday cards and cakes. When the tea and coffee fund is running low, the Corporate Services Business Manager should contact all outstanding participants by email to request more funds.

Birthdays

The birthdays of all NHS Halton CCG staff at Runcorn Town Hall are recorded in the diaries and a copy of the birthday list is displayed on the staff noticeboard.


A birthday card and cake is bought for each person using money from the tea and coffee fund. Staff that do not normally contribute towards the tea and coffee fund should make a small contribution. This can be handed to the Corporate Services Business Manager, or a member of the Admin Team.

It is the responsibility of each member of staff and their line manager to pick up a card and cake for their birthdays. If a member of staff notices that a birthday is coming up they should inform the appropriate person. The birthday card should be sent round the office for each member of staff to sign. The birthday card and cake should be presented by the line manager on their birthday or another member of staff in their absence.

Team meetings & events

There are a number of internal and external NHS Halton CCG meetings and events, in addition to the committees, that some members of staff are required to attend as part of their role. The internal and external meeting schedule lists each meeting, the members who attend and the assigned lead and co-ordinators.

Staff should make every effort to attend all meetings of relevance to their role. It is the individual’s responsibility to liaise with the appropriate colleagues to receive verbal updates for any meetings that cannot be attended.

Meeting rooms at Runcorn Town Hall can be booked by a member of the CCG admin team; all requests should include the title of the meeting/event, date, start and finish time, number of expected attendees and if any equipment, wifi or catering is needed. Any cancellations should be flagged with a member of the admin team as soon as possible to allow the room to be freed up for someone else. External meeting requests should be dealt with in the same way via a member of the admin team, but should also include the identified venue and room layout.

Statutory & mandatory training

NHS Halton CCG are legally required to provide statutory training as defined in law or where a statutory body has instructed organisations to provide training on the basis of legislation. Mandatory Training requirements are determined by NHS Halton CCG, concerned with minimising risk, providing assurance against policies and ensuring NHS Halton CCG meets external standards.

All NHS Halton CCG payroll staff and Governing Body members are required to complete statutory/mandatory training. Training is normally delivered via e-learning modules and occasionally in a face to face setting when required. Staff can access e-learning either in the workplace or remotely from home via the Learning Pool System, using their log in details provided by the CSU Learning & Development Department. All mandatory training modules should be visible when logged into the system. For any queries relating to the Learning Pool System contact [email protected], Tel. 0151 296 7077.


Once a module has been completed via e-learning, staff should receive an electronic pass certificate and the system should automatically update their results. It is the responsibility of each member of staff and their line managers to ensure that they have completed the required training modules within the set timescales. Completed training compliance is reported quarterly as part of the HR Performance Report presented to the HR & OD Committee.

Travel & subsistence claims

Travel and subsistence can be claimed by members of staff who incur costs for travel in relation to their job role. NHS Employers have agreed nationally with Staff Side Representatives new mileage claim allowances that apply to all members of staff claiming.

To claim for travel and subsistence, staff should complete a travel and subsistence claims form and pass it to their line manager to agree and sign off. Please note these will not be processed without first completing a T1 Business Travel Application Form, below. If staff are claiming for train fares or parking tickets, they should attach the original receipts or tickets to the form. In the event that a ticket is misplaced, staff can arrange for their line manager to write a separate note to authorise payment.

Travel and subsistence can be claimed monthly and backdated by up to 3 months. Providing it is received by the monthly mileage claim deadlines, it will be processed for payment the same month. Claims should be addressed to the payroll department and placed in the out-post tray beneath the staff noticeboard or passed to a member of the admin team to post.

To set up travel and subsistence claims for a new starter, they should complete a T1 Business Travel Application Form and send it to the payroll department.

If a member of staff changes their car, they should complete a T2 Business Travel Change of Car Form and send it to the payroll department.

If a member of staff changes their home address, they must complete an ESR02 Personal Details Change Form, and email it to [email protected].

Video & telephone conferencing

Video conferencing calls can be set up in Simon Banks’ office, by following these video conferencing instructions. It is the responsibility of each member of staff to set up their own video conferencing call. For queries relating to video conferencing, contact [email protected] or call 0151 676 5678.


It is the responsibility of each member of staff to set up their own telephone conferencing call. Telephone conference calls can be set up on all CISCO phones by following the CISCO teleconferencing user guide. NHS Halton CCG uses POW WOW NOW to host telephone conference calls; details can be obtained from the admin team.

Audio conferencing can be set up in Simon Banks’ office, by following the FLX VoIP audio conferencing user guide. This can also be dialled internally as it is on the same system as the Cisco phones above. For queries relating to telephone conferencing contact [email protected] or call 0151 6765 678.

Desk space & hot desks

On starting with NHS Halton CCG a desk/hot desk space will be identified and relevant IT equipment ordered e.g. laptop/PC. Runcorn Town Hall is working towards a paperless and hot desk policy. It is the responsibility of each member of staff to ensure they keep their desk tidy and paperless where possible, so colleagues who need to hot desk can use the space in their absence. Staff calendars should be kept up to date, clearly identifying when a desk is free to be used for hot desking purposes. Pedestal drawers and/or lockable cupboards should be used to file paper documents and folders away where possible.

There are a number of NWCSU hot desks at Runcorn Town Hall which are used by NWCSU staff working with NHS Halton CCG. These desks can be identified on the office seating plan and are pre-booked by NWCSU using their own online system that is independent of NHS Halton CCG. Any issues regarding hot desking and/or storage should be reported to the Corporate Services Business Manager as soon as possible.

St Helens & Knowsley Health Informatics service

It is the responsibility of each individual to report a fault with their IT equipment by contacting [email protected] or calling 0151 6765678. If the individual is unable to contact IT, they should inform the Corporate Services Business Manager who will report the problem on their behalf.

STHK HIS provides a Task Force Engineer (TFE) that visits Runcorn Town Hall every Friday between the hours of 10am – 1pm. The familiarity and regularity of these visits enables a strong and trusted relationship to form between NHS Halton CCG and the TFE resulting in a very positive response to this service.

The TFE service provides both a proactive and reactive service to practices. This is summarised below. The TFE is also fully equipped at each visit to provide a ‘hot swop’ of core equipment e.g. PCs, printers, printer trays etc. to enable continuity and avoid disruption for customers. This service means that individuals who find it difficult to describe their issues over the phone can demonstrate the issue to someone at their desks.


Typical examples of work carried out include:

Anti-virus logging

PC performance

Printer operation

IT housekeeping

Kit refresh and disposal

Cabling - Specification and patching

Reactive resolution of problems and service requests which cannot be dealt with remotely

Advice and training, if appropriate

Hardware replacement via ‘Hot swap’ of faulty or failing equipment

First call intervention with 3rd Party suppliers

Internal kit relocation

Office relocations

Out of Hours support for remote working

The assigned TFE for NHS Halton CCG is Stephen Devine, Email: [email protected], Tel: 0151 4301 172, Mobile: 07789778289. It is the responsibility of each member of staff to report any IT issues to Stephen Devine during his visit or report to the Corporate Services Business Manager to feed back issues on their behalf.

The IT help desk is open 24 hours a day, 7 days a week. For assistance with IT issues contact: [email protected], http://shkwebapps/itrequestform/ or Tel: 0151 676 5678. Call reference numbers will be given once a job is logged with the IT help desk. It is the responsibility of each member of staff to retain their reference number when calling the help desk to chase a call.

The Helpdesk endeavours to resolve incidents within:

Category | Resolution
Urgent | 4 hours
High | 8 hours
Medium | 24 hours*
Low | 40 hours**

Notes:
* = Business hours or 3 working days
** = Business hours or 5 working days


When an individual calls with what could be a major incident, he or she will be informed that it is being classed a major incident and it will be escalated. The incident will be transferred to the Helpdesk Coordinator, or if not available to the IT Operations Manager, or if not available then an Informatics Manager.

There are no hard and fast rules for identifying a major incident, but a major incident will be one which either:

o Affects a large number of users: mail server is down etc.
o Has implications for patient safety: any clinical system is off, GP surgery system.
o Has implications for critical business processes: phone system down to a site.

Printers and printing services

There are two large multi-function printers that are used by NHS Halton CCG at Runcorn Town Hall. These are models CM4370 (CCG1) and CM6030 (CCG2). Both printers have functions for printing and job storage, scanning, faxing and photo-copying. Printer CM6030 also has a function for A3 printing and copying.

It is the responsibility of each member of staff to inform the admin team when an ink cartridge or drum kit is running low, needs replacing or has been replaced. Both printers will flash up with an alert message to notify you of the product that needs replacing.

It is the responsibility of each member of staff to ensure they collect their printing from the printer as soon as it is ready. The same applies when copying and scanning documents; members of staff must ensure they remove all paper from the printer when they have finished.

If the printer is jammed with paper, the printers will flash an alert message to notify you of where the jam is located. It is the responsibility of each member of staff to ensure that they remove the jam if it occurs whilst they are using the printer, or ask another member of the team to assist, should it be difficult to remove.

It is the responsibility of each member of staff to report a technical fault with the printers to the Corporate Services Business Manager or a member of the admin team in their absence. To report a technical fault, email [email protected] or call 0151 6765 678.

One box of A4 paper is provided by Halton Borough Council on a weekly basis and stored next to CCG2 printer and 1 pack of A3 paper is stored in the stationery cupboard next to the 1st bank of desks. It is the responsibility of each member of staff to inform a member of the admin team when A4 or A3 paper runs out. Extra reams of A4 and A3 paper should be collected by a member of the admin team from the Runcorn Town Hall Admin Team on the ground floor, as soon as it is required.


Job Storage Function

Both printers have a function for storing printing jobs. This function helps to minimise the waste of paper that is printed unnecessarily, prolongs the life of the cartridges and reduces the long term costs. Job storage can be set up on each individual’s PC by following the job storage instructions. Any queries relating to the setup of job storage should be raised with the Corporate Services Business Manager.

Shared Printing Services

Should both printers be out of order at the same time, all members of staff can use the Halton Borough Council multi-function printers located on each floor of Runcorn Town Hall. The machines can only be used for printing, as a Halton Borough Council log in is required to scan and photocopy. For any queries relating to access to the Halton Borough Council multi-function printers, contact [email protected], Tel: 0151 511 7002.

External Printing Service

In the event of no access to a printer in Runcorn Town Hall, or when a member of the team requires a large printing job for an event or meeting, Halton Print can provide an off-site printing service at a negotiated cost. Website: http://www.haltonprint.co.uk/index.html, Tel: 01928 560 269 or Email: [email protected] for a quote.

NHS Halton CCG shared network drive

The Corporate Services Business Manager is responsible for the management and coordination of the NHS Halton CCG shared folder. It is the responsibility of each member of staff to review their folders on a regular basis to ensure they keep up to date with maintenance to ensure ease of access to documents.

It is the responsibility of each member of staff to ensure they do not save their working documents on their desktops; these should be filed in the appropriate place on the shared folder. The same instruction applies for saving work to personal folders on the H drive; all copies should be transferred to the appropriate place on the shared folder so that other members of staff can access them in their absence.

For any queries relating to the maintenance of the shared folder contact: [email protected] or Tel: 01928 593467. For IT queries relating to the shared folder contact the IT Helpdesk: Tel: 0151 676 5678, Email: [email protected], webform: http://shkwebapps/itrequestform/


Halton Hub

The Halton Hub is an intranet site that provides a central hub for staff to store and share CCG business. The hub is used for storing final versions of corporate documents and policies, CCG meeting schedules, contact lists, news and announcements alerts and FAQs.

All members of NHS Halton CCG including Governing Body members and Practice Staff can access the hub via https://www.haltonhub.com with an individual username and password sent by Daniel Spooner, Halton Hub Developer. Staff who have not yet received their log in details should email [email protected], stating their full name, job title, email address and base of work. A confirmation email will be sent to the recipient with their log in details to access the hub.

Each member of staff will be granted an appropriate level of access to the Hub when they are given their log in details. There are 4 levels in total, each with a set of hub permissions for accessing various functions, depending on the level.

It is the responsibility of each user to ensure documents they upload are the final versions and replace them when an update has been made. Staff should only upload PDF documents to the hub unless it is a form that needs filling in.

To report a technical fault, or issue with accessing the hub, contact [email protected], Halton Hub Developer. An email will be sent back to confirm when the fault has been resolved. In the absence of Daniel Spooner, contact Jenny Myhall, Senior Business Analyst Tel: 0151 5117 075, email: [email protected].

Office & building access

The NHS Halton CCG office business hours run from 8.30am – 5.00pm, Monday to Friday. The office and phones are covered by staff at all times during these hours. In the event that all members of staff are out of the office at the same time, desk phones must be transferred to mobiles where possible. Alternatively desk phones must be transferred to another desk phone with a voicemail function.

The reception at Runcorn Town Hall is open to visitors and the public between the hours of 8.30am and 5.30pm. Staff with door passes can access the staff side entrance between 7am and 7pm Monday to Friday. Staff with 24/7 door passes can access the staff side entrance at all times. Gates to the back car parks will be locked after 6.30pm. The main car park remains open at all times.

Accident & incident reporting

To report an accident or incident, all members of staff must inform their line manager as soon as possible. In the absence of their line manager they must inform another appropriate member of staff.


All accidents, incidents and near misses, however small, must be recorded on the NHS Halton CCG Incident report via the link below:

https://nww.datix.cheshiremerseysidecsu.nhs.uk/datix/datixnew/index.php?form_id=6&module=INC

It is extremely important that incident forms are completed as soon as practicable after the event. The incident form will be reviewed and any necessary investigations will be completed by a competent person.

If NHS Halton CCG staff are involved in an accident or incident on Halton Borough Council premises they must also complete an electronic web based incident form by contacting Lynn Pennington-Ramsden on 0151 511 8563. These incidents will be investigated jointly by Lynn Pennington-Ramsden, the lead for Halton Borough Council, and Andy Collins, the Health and Safety Lead for NHS Halton CCG.

NHS Halton CCG must notify Andy Collins and send a written report using an F2508 form (which can be found at \\G\hccg_groups\HaltonCCG\Admin\Office Protocols\F2508 Dangerous Occurrence Form.mht) within 15 days of the event. These are:

o Death at work
o A specified injury at work
o A person who was injured at work but at the time of their death they were either at home or in hospital
o A dangerous occurrence

If an employee cannot return to normal duties as a result of an injury at work for more than seven days in a row (including weekends), NHS Halton CCG will send a report to Andy Collins within 15 days of the event.

If an employee suffers from an occupational disease, it must be reported immediately to the relevant authority on form F2508A (which can be found at \\G\hccg_groups\HaltonCCG\Admin\Office Protocols\F2508A -occupational disease.mht). The disease must only be reported if the Health and Safety Lead has received a written statement of diagnosis of the employee from a doctor.

Line Managers must take the appropriate steps to ensure that:

o The incident is investigated as soon as possible
o The results of that investigation are recorded on the incident investigation form
o Measures are put into place to prevent the incident happening again

If there is no line manager in the office at the time of the incident, the employee involved in the incident must report on the Incident Form and to management as soon as possible. A work colleague can do this for them if the injured person is unable to do this. Full details of accident and incident reporting can be found in the Health & Safety Policy.

Fire & bomb alert evacuation procedures

Halton Borough Council hold a set of evacuation procedures for staff working at Runcorn Town Hall. These must be adhered to by all members of staff in the event of a fire or bomb threat. In the event of a fire or bomb threat the alarm will ring on all floors of Runcorn Town Hall to alert staff.


Fire/Bomb Marshalls

On the 1st Floor of Runcorn Town Hall there are 4 Fire/Bomb Marshalls and 1 Lead Fire/Bomb Marshall as shown in the evacuation team chart on page 11 of the evacuation procedure. The Fire/Bomb Marshalls for NHS Halton CCG are Faye Gilston and Natalie Vinton and the Deputy Marshall is Paula Dickinson.

It is the responsibility of the Fire/Bomb Marshall present in the office at the time of the fire alarm to ensure their designated area is evacuated, including quickly scanning all store rooms, meeting rooms and toilets on the 1st floor to ensure that nobody has stayed behind. Once all members of staff have evacuated the building, they must proceed to the designated assembly point on the main car park marked section 1.

It is the responsibility of the Fire/Bomb Marshall to report to the Lead Fire/Bomb Marshall of the 1st floor, Sue Ellis, on the progress of evacuation, including the number and location of people with physical disabilities who have been escorted to a refuge point and require assistance with evacuation.

It is the responsibility of the Fire/Bomb Marshall to maintain an evacuation list for their designated area for the roll call on the main car park and to keep the list up to date to reflect staff changes.

Members of the public will be unaware of the emergency evacuation procedures and exit routes. All staff should do their best to ensure that members of the public are safely escorted off the premises to the Assembly Points.

Do not attempt to re-enter Runcorn Town Hall until the Officer in Charge (OiC) Sue Wallace-Bonner gives the go ahead.

Personal Evacuation Officers

On the 1st floor of Runcorn Town Hall there are 5 personal evacuation officers as shown in the evacuation team chart on page 11 of the evacuation procedure. The personal evacuation officers for NHS Halton CCG are Des Chow, Julie Holmes, Emma Alcock, Jenny Owen and Mike Shaw.

It is the responsibility of the personal evacuation officers to assist disabled personnel on the 1st floor to evacuate the building or to move to a designated safe place in accordance with personal evacuation plans. The designated safe places are on the landing at either end of the main staircases behind the fire doors.

It is the responsibility of the personal evacuation officer to notify the Officer in Charge (OiC), Sue Wallace-Bonner, on an on-going basis when a personal evacuation plan has been created. Personal Evacuation Plans should be completed for all disabled employees by their manager and these will identify the safest means of escape. The Principal Health and Safety Advisor and Cheshire Fire Service will also assist in compiling personal evacuation plans if required.

Refuge areas are located on the landings of the 1st floor staircases for disabled employees who are unable to evacuate via the stairs. The personal evacuation officer, where possible, should assist and support the disabled person whilst the Officer in Charge (OiC), Sue Wallace-Bonner, is responsible for notifying the emergency services of their location.


First Aiders

On the 1st floor of Runcorn Town Hall there are 2 Halton Borough Council first aiders, Alison Culley and Michelle Jevans. There are currently no NHS Halton CCG first aiders. First aiders must evacuate the building in the normal manner and, if possible, take the first aid box with them and make themselves available in the designated assembly points if first aid is needed.

Bomb Threat

In the event of a bomb threat, the Officer in Charge (OiC) Sue Wallace-Bonner will become the Bomb Threat Coordinator (BTC) and will be notified of the call. The BTC will decide whether or not to raise an alert. The BTC will notify the major incident phone line.

The BTC and Lead Fire/Bomb Marshalls will meet on the 2nd floor outside Paul McWade’s office. A decision will be made by the BTC to activate the bomb alert whilst consideration is given to full evacuation – consultation with police.

Reception staff will manually activate the bomb threat alarm. The alarm will sound 3 times and is repeated 3 times again after ten seconds (keys for alarm behind reception). All members of staff must immediately leave the office area and congregate in the allocated safe area next to the toilets.

A decision will be made by the BTC whether to evacuate the building and nominate a suitable assembly area and route. The assembly areas with safe evacuation routes will either be: Rock Park or Grangeway Community Centre. The Lead Fire/Bomb Marshall must return to the safe area and inform staff of the need to evacuate and the evacuation route and assembly area (if applicable).

Members of the public will be unaware of the emergency evacuation procedures and exit routes. All staff should do their best to ensure that members of the public are safely escorted off the premises to the safe assembly points.

It is the responsibility of the Fire/Bomb Marshall to maintain an evacuation list for the roll call on the safe assembly area and to keep the list up to date to reflect staff changes.

Do not attempt to re-enter Runcorn Town Hall until the BTC gives the go ahead. Guidance for staff in the event of a bomb threat is in the bomb alert guidance.

Personal Development Reviews (PDR’s)

You will be given regular opportunities to review and discuss your objectives with your Manager. This will form part of the Personal Development Review Process. In these sessions you should be able to openly discuss any area of your work.

You will be expected to attend mandatory training sessions on Information Governance, Health and Safety, Manual handling, Equality and Diversity. You are also expected to keep yourself up to date with relevant legislation and changes in local and national policy and processes.


Every opportunity is taken by the Organisation for the training and development of their staff, details of which can be obtained from your line manager. The latest PDR documentation can be found on the Halton Hub accessed here. Sickness Absence If you need to report in sick you should notify your line manager before your work day commences on the first day of absence.

All staff are required to report the following details:

Person calling in to report sickness / absence

Date and time of telephone call

Reason for absence

When do they hope to return?

Please note all members of staff should ring in each morning and follow the same process until they return to work, unless they have a sick note from their GP that specifies a return date, or if they have confirmed when they will return to work during the initial call.

Sick pay is accrued as below:

o During 1st year of service: One month’s full pay and two months’ half pay

o During 2nd year of service: Two months’ full pay and two months’ half pay

o During 3rd year of service: Four months’ full pay and four months’ half pay

o During 4th and 5th years of service: Five months’ full pay and five months’ half pay

o After 5th year of service: Six months’ full pay and six months’ half pay

The full policy is available on the Halton Hub accessed here.

For absences 3-7 days in length, the staff member should complete a self-certified absence form and pass it to their line manager on their return. For absences over 7 days a doctor’s note is required. If you know you will be absent for a period of more than 7 days, please make sure your manager receives your medical certificates regularly.

On your return to work you will be asked to meet with your Manager for a return to work interview; the documents for this can be found on the Halton Hub accessed here. Completed return to work interview documents should be passed to Hilary Southern, Corporate Services Business Manager.


Annual Leave

When starting part way through a year, annual leave will be calculated pro rata. The Leave year runs from 1st April to 31st March. Your annual leave entitlement is worked out as follows:

Length of service: Annual leave + Bank Holidays

For 2015 entitlements will be made up as follows:

| | Standard Entitlement | Bank Holiday Entitlement |
|---|---|---|
| On appointment | 202.5 hours | 75 hours |
| After 5 years’ service | 217.5 hours | 75 hours |
| After 10 years’ service | 247.5 hours | 75 hours |

Annual leave applications need to be submitted via email to your line manager. Once confirmed, the line manager should copy in [email protected] with approval, who will then update the shared staff availability planner. Annual leave is to be approved dependent on business need. Other conditions such as training commitments will be taken into account when annual leave is granted. The Annual Leave policy can be accessed on the Halton Hub here. Annual leave entitlements can be worked out using the annual leave calculator, which can be accessed on the Halton Hub here.

Staff & Pay Services

If you have any questions regarding your pay slip, our payroll services are provided by St Helens & Knowsley NHS Hospitals Trust.

For any queries relating to payroll and NHS Pensions contact [email protected], Tel. 0151 430 1113

For any queries relating to HR (Recruitment, ESR etc) contact [email protected], Tel. 0151 296 7317

Payroll cut off dates for 2015 can be found on the following page:


Payroll cut off dates for 2015

Action: Hr, P&Ss, P&Ss, Hr, P&Ss

| Month | Back Dated Forms Arrears Can Only Be Paid If They Are Received 2 Days Before: | Forms Need To Be In Finance By No Later Than: | Forms MUST Be In HR By 5pm On: | Final HR Close (5pm) (Inc Final New Starters) | Final Payroll Close (4pm) | Pay Day |
|---|---|---|---|---|---|---|
| April 2015 | Wed 15th | Weds 15th | Thur 16th | Mon 20th | Tues 21st | Tues 28th |
| May 2015 | Thur 14th | Thur 14th | Fri 15th | Tues 19th | Wed 20th | Thur 28th |
| June 2015 | Mon 15th | Mon 15th | Tues 16th | Thur 18th | Fri 19th | Fri 26th |
| July 2015 | Wed 15th | Weds 15th | Thur 16th | Mon 20th | Tues 21st | Tues 28th |
| August 2015 | Mon 17th | Mon 17th | Tues 18th | Thur 20th | Fri 21st | Fri 28th |
| September 2015 | Tues 15th | Tues 15th | Weds 16th | Fri 18th | Mon 21st | Mon 28th |
| October 2015 | Thur 15th | Thurs 15th | Fri 16th | Tues 20th | Wed 21st | Wed 28th |
| November 2015 | Mon 16th | Mon 16th | Tues 17th | Thur 19th | Fri 20th | Fri 27th |
| December 2015 | Thur 3rd | Tues 8th | Weds 9th | Fri 11th | Mon 14th | Mon 21st |
| January 2016 | Tues 12th | Tues 12th | Weds 13th | Fri 15th | Mon 18th | Mon 25th |
| February 2016 | Mon 15th | Mon 15th | Tues 16th | Thur 18th | Fri 19th | Fri 26th |
| March 2016 | Fri 11th | Fri 11th | Mon 14th | Wed 16th | Thur 17th | Thur 24th |


Introduction to Freedom of Information

Under statutory legislation NHS commissioners have a requirement to respond to Freedom of Information (FOI) requests within 20 working days. These requests can be received from individual members of the public, members of the press, charity organisations, other NHS organisations, members of staff, MPs or other companies/organisations requesting information relevant to a specific CCG. They are currently dealt with by the Patient Experience & Governance Compliance Team within NHS North West Commissioning Support Unit (NWCSU) on behalf of NHS Halton Clinical Commissioning Group.

Background

The government first published proposals for freedom of information in 1997. In the white paper ‘Your Right to Know’, the government explained that the aim was a more open government based on mutual trust.

The Freedom of Information Act 2000 provides public access to information held by public authorities. It does this in two ways: public authorities are obliged to publish certain information about their activities; and members of the public are entitled to request information from public authorities.

The Act covers any recorded information that is held by a public authority in England, Wales and Northern Ireland, and by UK-wide public authorities based in Scotland. Information held by Scottish public authorities is covered by Scotland’s own Freedom of Information (Scotland) Act 2002.

Public authorities include government departments, local authorities, the NHS, state schools and police forces. However, the Act does not necessarily cover every organisation that receives public money. For example, it does not cover some charities that receive grants and certain private sector organisations that perform public functions.

Recorded information includes printed documents, computer files, letters, emails, photographs, and sound or video recordings.
The Act does not give people access to their own personal data (information about themselves) such as their health records or credit reference file. If a member of the public wants to see information that a public authority holds about them, they should make a subject access request under the Data Protection Act 1998.

Process

Emailed FOI request received in the relevant CCG inbox from requester.

FOI request acknowledged with the requester within 2 working days by NWCSU and logged onto the internal management system.

Request is then fielded out to the relevant person/department either within NWCSU or within the CCG for a response. If the CCG holds the information requested, then the FOI will be fielded to Hilary Southern, who will then field it to the most appropriate staff member to be dealt with.

The person who receives the request has a responsibility to respond to the NWCSU within 10 working days to allow for the approval process to take place.


The CCG in conjunction with the NWCSU has a legal responsibility to respond to the requester within 20 working days. If the response is expected to take longer than the 20 working days, an extension cannot be requested but the requester must be notified in advance of the delay.

Once the response has been approved at CCG level it will be sent to the requester by email the same day.

Further information on the Freedom of Information Act 2000, and guidance in applying the Act, can be found on the ICO website, accessed here.

CSU Internal management system

The NWCSU record all requests on to a system called Datix. The system is updated with the details on acknowledgement, fielding, chasing responses and any other relevant information. Copies of all documents/emails are attached electronically to each FOI request within the system. A report is produced at the end of each day and is monitored by the team leader with team input and reported to the Centre Manager on a daily basis.

Reporting to CCG

A weekly RAG report is created and sent to the CCG. This contains details on the current status of FOIs received for the CCG. A monthly SLA report is produced which is also shared with the CCG and contains the Key Performance Indicators (KPIs) for the NWCSU. The KPI for FOIs is 95% of information requests responded to meeting lawful regulatory compliance (currently 20 working days).

Information Commissioner’s Office (ICO)

If we do not comply with the statutory 20 working day deadline to respond to FOIs then there is the possibility of the requester making a formal complaint to the ICO. Should this happen then an investigation will be carried out and a report produced and published on the ICO website stating whether the complaint was upheld.

In the last month, the ICO received 80 complaints. Out of these complaints, 54 were not upheld, 5 were partly upheld and 29 were upheld.
For more information on ICO decision notices, please go to the ICO website: http://search.ico.org.uk/ico/search/decisionnotice

One recent complaint the ICO dealt with was regarding NHS Hillingdon CCG, and the link to the decision notice is below:

https://ico.org.uk/media/action-weve-taken/decision-notices/2014/1042656/fs_50538363.pdf

It also shows how even a small breach can result in a complaint and investigation. Larger complaints can result in fines to the responsible organisation.


Further information

If you would like further information or have any specific queries on the FOI Act or the process, please do not hesitate to contact either Louise Booker, FOI Team Leader on [email protected] or Helen Jones, Locality Lead on [email protected].

Further information on the Freedom of Information Act 2000, and guidance in applying the Act, can also be found on the ICO website, accessed here.

Information Governance

The information contained in this version of the staff handbook is applicable to all CCG staff. This information is not intended to replace the annual statutory and mandatory training; instead, its aim is to provide additional information to support your working practice.

If you require any further information or advice your key contacts within the CCG are listed below:

Suzanne Crutchley
Senior Governance Manager (Information Governance)
Cheshire and Merseyside Commissioning Support Unit
Tel: 01244 650 551
[email protected]

Angela Delea
Head of Corporate Services
NHS Halton CCG
Tel: 01928 593794
[email protected]

Hilary Southern
Corporate Services Business Manager
NHS Halton CCG
Tel: 01928 593 467
[email protected]

Further information on ‘Information governance’ and looking after information can be found at the HSCIC website.


E-Brief article: Information Governance Compliance – Staff Code of Conduct

What is Information Governance?

Information Governance is a framework concerning the way that information about patients and employees is handled. It is particularly concerned with personal and sensitive information, but it also incorporates corporate confidential information about the NHS organisation – i.e. your CCG.

Further information on ‘Information governance’ and looking after information can be found at the HSCIC website.

“What you see here, What you hear here, When you leave here, Let it stay here.”

Data Protection Act 1998

The Act was passed ‘to protect the rights of the individual whom information is obtained, shared, processed or supplied’. It includes all information and data which can identify a person, held in any format:

visual; verbal; paper; computer; Filmed/recorded imaging photograph etc

Information and data is safeguarded by the Data Protection Act, which is underpinned by eight principles:

The 8 Data Protection Principles

1. Processed fairly and lawfully.
2. Processed for specified purposes.
3. Adequate, relevant and not excessive.
4. Accurate and kept up to date.
5. Not kept for longer than necessary.
6. Processed in accordance with the rights of data subjects.
7. Protected by appropriate security (practical and organisational).
8. Not transferred outside the EEA without adequate protection.

*Remember, when leaving your desk, lock or log off your computer. The quickest way to lock your computer is by using the following keys:

Windows key + the letter L


Caldicott Reports 1997 and 2013

The first report was produced for the Department of Health by a committee, chaired by Dame Fiona Caldicott. The Caldicott committee made 16 recommendations aimed at improving the way that the NHS handles and protects patient information.

The second report, Information: To share or not to share? The Information Governance Review (March 2013), contains 26 recommendations and a revision of the previous Caldicott Principles. It is available at: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/192572/2900774_InfoGovernance_accv2.pdf

As with the Data Protection Principles, the Caldicott Principles outline best practice in patient Information Management. Confidentiality is part of your day to day activity and must be rigorously observed, no matter what your role or where you happen to be.

Q. Do you know who your Caldicott Guardian is?

A. The Caldicott Guardian for NHS Halton CCG is Jan Snoddon, Chief Nurse

The Deputy Caldicott Guardian for NHS Halton CCG is Cliff Richards, Chair

The revised 7 Caldicott Principles

1. Justify the purpose(s)
2. Don’t use personal confidential data unless it is absolutely necessary
3. Use the minimum necessary personal confidential data
4. Access to personal confidential data should be on a strict need-to-know basis
5. Everyone with access to personal confidential data should be aware of their responsibilities
6. Comply with the law
7. The duty to share information can be as important as the duty to protect patient confidentiality.

Think about your responsibilities with Caldicott

Remember - information must be:

• Held securely and confidentially.
• Obtained fairly and efficiently.
• Recorded accurately and reliably.
• Used effectively and ethically.
• Shared appropriately and lawfully.


Personal Confidential Data (PCD)

Remember, this includes all information and data which can identify a person, held in any format.

NHS Codes of Practice

There are three Codes of Practice that cover:

Those who work within the NHS

Those under contract to the NHS

Security Management: NHS Code of Practice (April 2007)

Click below to access copies:

NHS Codes of Practice and legal obligations

E-Brief article: Information Governance Policies

The following Information Governance policies are available by clicking here

Information Governance Strategy

Information Governance Policy

Freedom of Information Act Policy (this includes Environmental Information Regulations)

Confidentiality and Data Protection Policy (this includes staff guidance)

Subject Access Requests Policy.

Corporate Records Retention Policy (this includes Information Lifecycle)

The associated IT Service policies include:

Network Security Policy

Remote Access Policy

Internet & Email Usage Policy


E-Brief article: Information Governance Training

Mandatory Information Governance Training to be completed every 12 months through the CMCSU Learning Pool Academy

Mandatory Information Governance Course

There are a variety of courses available on the CMCSU Learning Pool Academy, many of which will also count towards completion of your Statutory and Mandatory Training. All staff are required to complete the mandatory course module:

Introduction to Information Governance (during first week of employment)

and then a refresher module once a year thereafter:

Information Governance Refresher

What is Information Governance?

Information Governance is a framework concerning the way that information about patients, employees and contractors is handled. It is particularly concerned with personal and sensitive information, but it also incorporates corporate confidential information about the NHS organisation.

Further information on ‘Information governance’ and looking after information can be found at the HSCIC website.


Questions and Answers

1. Why do I have to complete an e-learning module?

It is a Department of Health requirement that all staff complete the “Introduction to Information Governance” e-learning module within their first week of employment (and the Refresher every year thereafter). The module has been designed to be user friendly and promote consistency and good practice across the NHS.

2. What does the module cover?

The “Introduction to Information Governance” module covers Data Protection, confidentiality, Freedom of Information, good record keeping and information security.

3. When do I have to complete it by and how long will it take?

For all staff, the training must be completed once a year. It should take around one hour and there is a short assessment at the end. The module will automatically bookmark if you do not get a chance to finish it in one go.

Information Governance E-Learning

E-learning is now being increasingly used in the NHS as an alternative to classroom based training.

Getting Started on IGTT

Staff should access the IG Training via the Learning Pool link below:

https://academy.cheshiremerseysidecsu.nhs.uk/

The courses that you are required to complete are:

Introduction to Information Governance (once)

Information Governance: The Refresher Module (annually)

Avoiding Information Governance Breaches (once)

Your compliance will be available to your line manager for review. There is also an additional module “Avoiding Information Governance Breaches”, which is a mandatory requirement for all staff to complete.

Additional training can be accessed through the HSCIC: https://www.igtt.hscic.gov.uk/igte/index.cfm?communityid=2


E-Brief article: Information Governance Incident Feedback lessons learnt

The following Information Governance incidents have been reported within Cheshire and Merseyside NHS organisations. The lessons learnt to feed back to all staff are listed alongside them.

Summary of Incident Lessons Learnt

Email received which contained patient names and NHS number against list of drugs prescribed by the Hospital.

The recipient had no need to receive patient details; they only needed the numbers of patients.

Only share the minimum data necessary for the purpose(s).

Email containing patient names was sent to CCG, but not on @nhs.net.

Patient data must always be sent from and to NHS net accounts i.e. @nhs.net to/from @nhs.net.

Patient data must be encrypted, to protect it when it is being sent by email.

A response to a request was sent by email to the wrong applicant by mistake.

Staff must double check that the correct information is sent to the correct person.

Complaint letter sent by email to the wrong CCG by mistake.

Staff must double check that the correct correspondence is sent to the correct recipient.

Patient ID information emailed from non @nhs.net address.

Patient data must always be sent from and to NHS net accounts i.e. @nhs.net to/from @nhs.net.

Patient data must be encrypted to protect it when it is being sent by email.

Reporting Arrangements

Remember, all incidents or information indicating a suspected or actual data security breach should initially be reported to the immediate line manager and then reported via Datix using the following link on the CCG intranet: https://nww.datix.cheshiremerseysidecsu.nhs.uk/datix/datixnew/index.php?form_id=6&module=INC


E-Brief article: Role of Caldicott Guardian and SIRO

The roles of the Caldicott Guardian and the Senior Information Risk Owner

The above roles are a statutory requirement for all NHS bodies. Locally:

Jan Snoddon, Chief Nurse has responsibility as Caldicott Guardian

Cliff Richards, Chair is Deputy Caldicott Guardian

Paul Brickwood, Director of Finance has responsibility as Senior Information Risk Owner (SIRO)

Angela Delea, Head of Corporate Services is Deputy Senior Information Risk Officer (SIRO)

In summary, these roles include the following responsibilities:

| The Caldicott Guardian | The Senior Information Risk Owner |
|---|---|
| Is advisory | Is accountable |
| Is the conscience of the organisation | Fosters a culture for protecting and using data |
| Provides a focal point for patient confidentiality and information sharing issues | Provides a focal point for managing information risks and incidents |
| Is concerned with the management of patient information | Is concerned with the management of all information assets |

For example, the Caldicott Guardian will oversee and approve Information Sharing Protocols. For serious information governance breaches the Senior Information Risk Owner will approve closure on reported information governance incidents, and will oversee and review Information Risk Assessments.


E-Brief article: Information Governance Incidents

Reporting Information Governance Incidents

Staff should report any incidents or concerns about any aspect of confidentiality and security, whether a breach has taken place or a ‘near miss’ has occurred. Near misses are indicators of potential problems, so should also be reported.

Security Incidents Affecting Confidentiality

There are several ways in which the confidentiality of patients, members of the public, staff or contract workers may be breached. All breaches should be reported and investigated accordingly. A confidentiality incident is defined as any event that has resulted or could result in:

the disclosure of confidential information to any unauthorised individual

the integrity of the manual system or data being put at risk

the availability of the manual system or information being put at risk

An adverse impact can be defined for example as:

threat to personal safety or privacy

legal obligation or penalty

financial loss

disruption of CCG business

an embarrassment to the CCG

Types of Security Incidents

The types of non-computer security incidents likely to affect confidentiality are variable. Data security incidents may take many forms including the following:

Theft of equipment holding confidential information – laptop computers, iPads, BlackBerrys, mobile-phones, etc.

Unauthorised access to a building or areas containing unsecured confidential information.

Access to patient data by an authorised user who has no work requirement to access the data.

Authorised access which is misused (staff).

Misuse of equipment such as faxes, text messages on mobiles and ansaphones.


Inadequate disposal of confidential material (paper, files etc).

Car theft / break-ins to staff carrying confidential records

Unauthorised access to data away from premises (e.g. when travelling between meetings, etc).

Careless talk (e.g. in the corridor or car park)

Reporting Arrangements

All incidents or information indicating a suspected or actual data security / confidentiality breach should initially be reported to the immediate line manager and then reported via Datix using the following link on the CCG intranet. The CCG Locality Lead for the Customer Solution Centre can help you with this.

https://nww.datix.cheshiremerseysidecsu.nhs.uk/datix/datixnew/index.php?form_id=6&module=INC

If an actual serious data security / confidentiality breach has occurred, the incident should be reported immediately to an appropriate CCG Senior Manager, who will consider if it is necessary to inform the Senior Information Risk Owner and/or the Caldicott Guardian. It may also be necessary to report the incident to others depending on the type and likely consequences of the incident, e.g. the Police, local Counter Fraud specialists, or the Information Commissioner.


E-Brief article: Privacy Impact Assessments and Information Sharing Protocols

“Privacy matters more than ever before, especially as so much of our personal information is now collected and shared.”

There has been significant media interest over the last few years in missing data and breaches of confidentiality. News stories appear almost every week.

One measure that the CCG has introduced to help to prevent this from happening is to mandate that a Privacy Impact Assessment (PIA) is completed for all new work which involves person identifiable data (PID). A PIA is also needed for all major changes to existing procedures which use personal data, e.g. moving from paper to electronic systems. This will give the CCG Governing Body assurance that every aspect of data protection has been considered and managed before work begins.

Privacy Impact Assessment is a process which enables organisations to anticipate and address the likely impacts of new initiatives, foresee problems, and negotiate solutions. Risks can be managed through the gathering and sharing of information with stakeholders. Systems can be designed to avoid unnecessary privacy intrusion, and features can be built in from the outset to reduce this.

The Privacy Impact Assessment aims to assist the CCG, when proposing change, to investigate whether the personal information aspects of the project / work comply with the statutory data protection principles in the Data Protection Act 1998.

Without completing a PIA, you may be prevented or delayed in starting your work. A template Privacy Impact Assessment can be found here; Annex 2 is the section to complete. Click here for guidance on completing a PIA.

Information Sharing Protocols

On completion of the PIA, this will indicate if an Information Sharing Protocol (ISP) is needed or not. An ISP is generally needed when person identifiable data (PID) is being shared with non-NHS organisations, and/or when PID is being held on a hosted website outside of the NHS.
A template ISA can be found here – please note it is made up of three documents (Tiers), with tier 2 being the actual template for completion.


E-Brief article: Data Flow Mapping and Information Asset Register

The Data Flow Mapping exercise set out by David Nicholson back in March 2008 needs to be repeated. This exercise needs to be completed on an annual basis. The Spreadsheet should capture all key data flows. Where Departments have repeated data flows, inbound or outbound, between the same organisations, only one entry needs to be captured to cover them. A return will be required from each Department within the CCG.

It is also a requirement of the statutory Information Governance Toolkit:

All transfers of hardcopy and digital personal and sensitive information have been identified, mapped and risk assessed; technical and organisational measures adequately secure these transfers.

Full details of Requirement 350 are set out on the Information Governance Toolkit website at: https://www.igt.hscic.gov.uk/RequirementQuestionNew.aspx?tk=423324576423471&lnv=2&cb=fedc70f9-c4b3-40c4-a829-07a96b27a3b4&sViewOrgType=24&reqid=2754

This work sits alongside the Information Asset Register (IAR) held by the CCG. It is likely that the staff who complete the IAR return will be the same staff who will also now need to complete the Data Flow Mapping exercise.


E-Brief article: NHS Number

A Mini Guide to the NHS Number

By taking up the NHS Number as the national identifier for patients, organisations will significantly improve safety by ensuring that patients are correctly identified. All healthcare organisations must make sure that they have the necessary measures in place for safe, secure transfer of clinical information.

Who has an NHS number?

Everyone in England and Wales has been given a NHS number. New numbers are issued by the NHS Central Register which holds demographic information on all persons who are registered with a General Practitioner in England and Wales.

Using the NHS number to link data

The NHS number provides the means to use computer data more effectively to combine data from different sources through automated matching of records. The requirements to do this are extensive and range from linking data about a single patient, such as when sending pathology requests or results, to matching multiple records by combining two patient registers so that the patient data is consistent between the two.

Using the NHS number as the main currency of communication

The NHS number should replace local identifiers such as hospital numbers in all communications between organisations about patients. This will enable everyone to communicate across the country using a common currency and avoid reliance on a local number which prevents efficient linkage of data once the patient is treated outside of a limited geographic area. For the number to become the common currency it needs to be displayed on all patient based correspondence and communications within the NHS.

Safeguarding the security and confidentiality of patient data

In exchanging information one of the most significant risks to confidentiality is when the information contains patient-identifiable data, typically:

name

address and postcode

date of birth

gender

The robustness and reliability of the NHS number, which in itself does not include any patient identifiable data, allows it to be used as the key patient identifier to counter security risks.

Everyone working for the NHS has a legal duty to keep information about patients confidential and to only use or pass on information about a patient if there is a genuine need to do so to support the patient’s interest. Whenever possible, details which identify a person should be removed.


The security of the NHS number

The NHS number is the most secure patient identifier available. You cannot ascertain anything about an individual through their number alone because the number is randomly generated. Even when it is the main currency of communication about patients throughout the NHS it is unlikely that staff will associate a number with an individual in the same way that they would a name.

Are there circumstances when the NHS number should not be used?

Where steps are taken to aggregate or anonymise information to safeguard confidentiality (e.g. removing name and address) the NHS number should also be removed if staff do not need to know the identity of the individual(s) concerned.

Further information on ‘Information governance’ and looking after confidential/personal identifiable information can be found at the HSCIC website.


E-Brief article: Smartcards

A Mini Overview of Smartcards

The NHS Care Records Service (NCRS) and related National Programme for Information Technology (NPfIT) services are accessed using an NCRS Smartcard. A Smartcard is a ‘chip and pin’ device used as a means of securely identifying a user. For healthcare professionals to be issued with a Smartcard they must be registered through the Registration Authority. Full details can be found using the following links:

http://systems.hscic.gov.uk/rasmartcards/cis

http://systems.hscic.gov.uk/rasmartcards/planning/raoverview/index_html

User Identity Manager and Integrated Identity Management

User Identity Manager (UIM) is new registration software to manage NCRS access control and facilitate the Interface to the Electronic Staff Record (ESR).

Position Based Access Control (PBAC)

PBAC is the set of Access Positions that exist within User Identity Manager (UIM) which can be applied to a user’s Smartcard profile. Each Access Position is made up of a set of access codes which are taken from the National PBAC Database. The PBAC is agreed locally to reflect what is required for staff groups accessing data via Smartcard within an organisation. The Registration Authority Manager is responsible for maintaining and updating the Access Positions on UIM to meet the needs of Smartcard users.

Smartcard Misuse and Incident Reporting

All Smartcard users are responsible for the safety, security and use of their own Smartcard as per the terms and conditions set out in the RA01 form. In particular Smartcard users must:

Never share their Smartcard passcode

Never allow another user to use their Smartcard

Never leave their Smartcard unattended unless it is stored securely

Only access patient information that they require to carry out their role

Failure to comply with these terms and conditions will be treated as serious misconduct and dealt with through the HR disciplinary procedure. Any member of staff must report incidents where they feel there is a risk to patient health, confidentiality or their organisation’s reputation. Incidents should be reported to the Sponsor and Registration Authority Manager and the local incident reporting procedure must also be completed immediately.


Certificate Expiry and Renewal

Smartcard certificates are valid for two years, after which the Smartcard will need to be renewed.

IT Service Desk

All Registration Authority requests should be directed through IT Service Desk:

Self Service: http://shkwebapps/itrequestform/

Tel: 0151 676 5678


E-Brief article: Fair Processing Notice

Fair Processing Notice: Your Information - What you need to know

What this Fair Processing Notice is about

This notice tells you how the Clinical Commissioning Group (CCG) and the Cheshire and Merseyside Commissioning Support Unit (CSU) process non-clinical information about you, e.g. your name, address, date of birth, etc., and reminds you of your rights under the Data Protection Act 1998.

What do we use your Information for?

We only use your information for lawful purposes in order for us to effectively administer the business of the CCG and the CSU. For example:

Pay and Pension

Work Management

Staff Training

Internal Telephone Directory

Administration of access to information systems

Emails

Website & Intranet

The CCG and/or the CSU may use, in current day to day business, your:

Name

Job title

Work Phone number

Work email address

Office base

This may include minutes of meetings, reports, action plans, newsletter articles, etc. which may be published on the website and/or the Intranet. The CCG and CSU have a duty to protect all their employees and if you have any concerns about where this information is published, or feel you will be put at risk by the disclosure of this information, please discuss this with your manager, or the CCG Senior Information Risk Owner (SIRO), or the CSU Information Governance Manager.

How do I know my information will be kept Confidential and Secure?

Everyone working for the NHS has a legal, ethical and contractual duty to keep information confidential - the obligation is not restricted to patient data. Information held about you, whether on paper or computerised, is protected from unauthorised access.


Will you give my personal details to anyone?

We will not routinely disclose any information about you without your express permission. Your information may be shared, in strict confidence, with other CCG/CSU departments where this is necessary to administer your employment. There may be circumstances where we are bound to share information about you owing to a legal obligation, e.g. tax returns. Whenever we can we will remove personal details which identify you. Anyone who receives information from us is also under a legal duty to keep it confidential.

Can I see my Information?

The Data Protection Act 1998 gives you the general right to apply to see or to be given a copy of personal data held about you. Maximum fees for access and providing copies are set down by law. For further information please contact the CSU Information Governance Manager.

Complaints/Appeals

In the event that you believe we have not complied with the Act, either in responding to a request, or in our general processing of your personal information, and if you have had no satisfaction from the CSU Information Governance Manager, you should contact the CCG Senior Information Risk Owner (SIRO). Of course you always have the right to complain to, appeal or raise your concerns with the Office of the Information Commissioner by writing to:

Information Commissioner
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

You can call the ICO helpline on 0303 123 1113 or 01625 545745. It is open between 9am and 5pm, Monday to Friday. Or visit the ICO website at: https://ico.org.uk/

If you would like more detailed information, contact the Office of the Information Commissioner (see details above). This notice is only concerned with non-clinical information relating to you, as an employee of the CCG/CSU. Should you wish to know more about any information that is held about you as a patient, please contact your local health care provider.


E-Brief article: Fax Safe Havens

Facsimile Machines and ‘Safe Havens’

‘Safe Haven’ is a term recognised throughout the NHS to describe the administrative arrangements to safeguard the confidential transfer of patient identifiable information and other sensitive information between organisations or sites. When information is disclosed through a designated safe-haven point to an equivalent point in another organisation, staff can be confident that agreed protocols will govern the use of the information from that point on.

‘Safe Haven’ facsimile machines should be sited in areas where the general public and, if possible, staff from other organisations do not have physical access. Also, local arrangements should be in place for the confidential handling of transmitted data / information, which may be received outside of normal working hours.

Alternatively, newer facsimile machine models can be set to store information, stopping the fax printing out until a designated member of staff activates the machine by entering a secure PIN. The machine is set to store the information when no designated members of staff are physically in the immediate area of the machine. This way the facsimile machine is classified as ‘Safe Haven’.

If you have reason to send and/or receive a fax which contains patient identifiable information and/or other sensitive information, please ensure that a ‘Safe Haven’ facsimile machine is used at both ends, whenever possible. All staff should familiarise themselves with the location and number of their nearest Safe Haven fax.


E-Brief article: E-mails and FOIA

Your E-mails could be disclosed under the Freedom of Information Act 2000

The Freedom of Information Act confers two general rights on the public:

1. A right to be informed whether a public body holds certain information.

2. A right to obtain a copy of that information.

All staff are reminded that, under the terms of the Act, the e-mails that you send and receive are disclosable in law. You are therefore asked that particular care be taken if an e-mail is in connection with a patient or a member of the public, especially if this is in connection with a complaint, an appeal panel or litigation. These are just a few examples of the type of e-mails that are requested to be disclosed. E-mails that concern new services or significant changes to existing services are another typical example of the types of Freedom of Information requests that we receive. It is therefore advisable that personal opinions and throw away comments are avoided. If you receive a request (by e-mail, as a letter or fax) for information under the Freedom of Information Act, you must send it without delay to the CSU Customer Solution Centre, who process all FOI requests for the CCG.


E-Brief article: NHSmail - Safe, Secure and Encrypted E-mails

Exchanging sensitive data the safe way

Best practice when using your NHSmail account

In this staff briefing we focus on the extremely important subject of making sure that you are handling sensitive data in the safest possible way when using NHSmail. The NHSmail team have provided detailed guidance on use of the encryption facility – please see links at the bottom of this article.

All staff are reminded of the risks associated with sending, forwarding and receiving emails which contain sensitive and/or confidential information, which may be patient, carer, staff, contractor or business related.

What do you send by e-mail?

In the subject line?

In the message?

As an attachment?

When you forward an email on

The NHSmail service has been specifically designed with the needs of NHS staff in mind and, apart from being able to access it from any computer or device, the top requirement is to enable staff to exchange sensitive and confidential data. The service is accredited to Government RESTRICTED status for this purpose; it is highly secure and has been endorsed by the British Medical Association, Royal College of Nursing and Chartered Society of Physiotherapy.

However, users must play their part in ensuring that they handle sensitive data correctly when using NHSmail. Below are some points which are not so much tips, but musts, when using NHSmail.

Ensure you understand which accounts are secure for exchanging information with NHSmail

NHSmail (@nhs.net) to NHSmail is a secure route. NHSmail to nhs.uk email addresses is NOT a secure route and sensitive data is at risk if sent this way without additional protection.

Other equivalent encrypted email accounts

There are other statutory organisations which have equivalent encrypted email accounts which are interoperable with NHSmail accounts: NHSmail is part of the Government Secure Intranet, a secure network for public sector organisations which encompasses the police, local and central government and criminal justice services. These public sector workers have access to email addresses connected to the network which CAN be used to exchange information with NHSmail.


So if an email address ends in one of the following, you're safe to send sensitive data to it:

@gsi.gov.uk @gse.gov.uk @gsx.gov.uk @pnn.police.uk

@scn.gov.uk @cjsm.net @gcsx.gov.uk @mod.uk

For example @nhs.net to @gsi.gov.uk

E-mail: safe, secure & encrypted

E-mails from and to @nhs.net accounts

E-mail: not safe, not secure

E-mails not using @nhs.net to @nhs.net e.g. [email protected] to [email protected]

In the Subject field of the email, enter the word [ENCRYPT] before the subject of the message. The word ENCRYPT must be surrounded by the square brackets for the message to be encrypted. If square brackets aren’t used, the content of the email will be sent in plain text and may potentially be exposed to interception or amendment.

The following guidance on use of the encryption facility has been issued by the NHSmail team and can be found here:

http://systems.hscic.gov.uk/nhsmail/secure/senders.pdf

http://systems.hscic.gov.uk/nhsmail/secure/recipients.pdf


E-Brief article: Spot Checks

Information Governance Spot Checks

Overall compliance with Information Governance standards amongst staff is generally found to be very good. It is important that adequate safeguards are in place to keep personal and sensitive information that we hold secure. Without adequate safeguards in place, there is the potential for a data security breach to occur.

From time to time, independent Information Governance ‘spot checks’ will be conducted at random across the CCG, without prior notice. Some areas of risk together with general recommendations for ‘best practice’ are set out in the table below. These aim to address general areas of Information Governance risk, and are not specific to the CCG. In addition, Mersey Internal Audit Agency (MIAA) may also carry out spot checks.

Further information on ‘Information governance’ can be found at the HSCIC website.


Areas of risk and general recommendations

RISK AREA RECOMMENDATIONS

CLEAR DESK PROCEDURE

1. Reminder to staff to lock away manual records containing patient data or other confidential information.

2. Reminder to staff that confidential information should not be left unattended within reach or sight of the public or visitors.

3. Consider fitting keypads on doors into sensitive areas where needed.

POST

1. Post held in post trays should be locked away at the end of the day if not being collected until the following day.

CONFIDENTIAL WASTE

1. Reminder to staff to place all confidential waste in the sacks/console units provided.

COMPUTERS

1. Staff to be reminded to lock or log off from their computer when they leave their desk for any length of time.

2. Computer screens to be angled to prevent being viewed by the public or visitors; alternatively, fit a privacy screen.

FACSIMILE MACHINE

1. Fax machines that receive confidential faxes should be programmed (sleep mode) to store faxes in their memory to prevent them being printed outside of office hours.

2. Frequently used numbers should be programmed into the memory dial facility in order to reduce the risk of misdialling.

OTHER ELECTRONIC MEDIA

1. Mobile devices should be locked away when not in use.

2. Where possible, photocopiers should not be sited in an area where the general public or visitors have access.

LOCKING ROOMS AND STORAGE ARRANGEMENTS

1. Offices and rooms that contain confidential information should be locked when not in use.

2. Adequate lockable drawers/cabinets should be provided for staff to lock away confidential files/notes/documents, etc.

3. Drawers/cabinets that contain confidential information should be locked when not in use.

TRAINING AND POLICY ADMINISTRATION

1. Reminder to staff (and line managers) to ensure that their Information Governance training is kept up to date every year.

COMPUTERS

1. Staff to be reminded to lock or log off from their computer when they leave their desk for any length of time (Windows key + the letter L).

2. Computer screens to be angled to prevent being viewed by the public or visitors; alternatively, fit a privacy screen.


E-Brief article: Confidential Waste

In this data-intensive age, the risk of confidential and sensitive information falling into the wrong hands remains a constant threat.

Information security matters now more than ever before. All staff are asked to ensure that:

Confidential waste is placed in the confidential waste bins provided, which must be located in a position out of direct view of the door/window; or

Confidential waste is shredded, using the shredding machines provided.

Confidential waste bins

Only papers and computer discs that contain confidential person identifiable information, or confidential corporate information, are to be placed in the waste bins.

√ Ok to go in:

√ patient data (e.g. name, address, date of birth, phone number, NHS Number, clinical information, etc);

√ individual staff data (e.g. sickness records);

√ any documents with ‘restricted access’;

√ drafts of contentious documents;

√ diaries which contain personal details;

√ job application forms.

X Do not put in: anything already available to the public (e.g. on the website) such as minutes of meetings, policies, strategies, reports, action plans, or leaflets.

As the CCG have to pay for this type of waste to be shredded to confidentiality standard, please ensure that domestic waste is not put in to these sacks/console units. Only papers and discs that contain confidential person identifiable information, or confidential corporate information, are to be included. This would mean, for example, that if only a few pages of a paper document are confidential, then ONLY those pages are put in to these bins – the remainder of the document can go out as domestic waste in the black bags, or can be recycled.


E-Brief article: ID Badges

Staff ID Badges

All staff, at all levels, are required to wear their CCG ID Badge at all times during their working hours. In general, the I.D. badge serves to identify the bearer as a person who is allowed to be in the building. The ID badge gives comfort to the people around the bearer that he/she is legitimately there for a reason. In a working environment, staff should feel assured that the workplace is somewhere that they can trust the people that they work with.

To establish that I.D. badges are truly essential in your daily working lives, here are some reasons why I.D. badges are advantageous:

Identification - The CCG should be able to distinguish the staff working in each department, across the sites, from visitors, guests and others

Security - Not only will staff feel safe, it will help the CCG to identify unauthorised personnel and even opportunist thieves

Corporate Identity - By making sure that each employee wears their I.D. badge, staff will feel a sense that they belong and are being taken care of

Integrity - With all staff wearing their I.D. badge, the CCG is reflecting professionalism throughout the organisation


E-Brief article: Guidelines when Transferring Data by Post

This guidance covers paper records, communications such as letters, together with the transfer of disks and tapes containing patient identifiable information.

Paper records within the CCG

Departments should ensure that records in transit within the CCG are protected from the following:

Theft

The records should not be left unattended in an open area.

Casual access

Again, the records should not be left unattended in an open area. Identifying details on the records should not be visible to the general public. Large quantities of records should be transferred in a covered container. Where a single set of records is being transferred, it should be placed in a sealed envelope.

Damage due to accidents

Records should be protected from damage by spillage, or impact, by using a sealed container for large volumes of records and a sealed envelope for single sets of records.

Loss

Records need to be transported in a container or envelope to prevent individual sheets from falling out and becoming lost. Records in transit should be clearly labelled with the addressee on the outside of the container/envelope and the sender on the inside.

Paper records being posted or transported outside of the CCG

Wherever possible the records being transferred should be transported by internal post arrangements in place within the local health community, for instance hospital to/from general practice collections and general practice to/from the CCG. Patient identifiable information should always be transported in a sealed container, clearly addressed to the recipient. Where a patient is being transferred, their records should, if possible, be transferred via a member of staff travelling with the patient.

Where records are required urgently, for example transfer between hospitals, the following arrangements should be made:

Preferably a photocopy of the record, or the relevant section only, should be sent rather than the original record.

The courier or taxi service used should have a contract with the CCG, which includes agreed minimum standards relating to security.

The records should be sealed in an envelope and the addressee clearly labelled on the outside.

A compliment slip with the sender’s details should be contained in the envelope to allow safe return in the event of loss or damage to the package.


The records should be ‘traced out’ of the CCG and the courier or taxi firm should provide signed proof of delivery.

The recipient should be a clearly identified individual, not just a general department or ward.

The receiving organisation must sign to acknowledge receipt of the notes, if delivered by a courier or taxi firm.

Using the Royal Mail

Using the Royal Mail is an acceptable means of communication where there are no alternatives. The following precautions should be taken:

Clearly label the envelope to a named individual. Do not send post to a general department such as Medical Records.

Where this information is not on the document sent, include a compliment slip indicating the sender in the event of damage to the envelope or package.

If using Royal Mail to send confidential documents, consider if the ‘Recorded Signed For’ service (previously ‘recorded delivery’) should be used.

Sending large volumes of data through the mail

Because some post contains information about groups of e.g. patients rather than individuals, this post should have extra protection in addition to the above precautions:

Storage Disks

For a disk, password protect all data files and use a padded envelope to protect the disk. Do not send the password with the disk but ask the recipient to contact you separately for the password. Use Royal Mail’s ‘Special Delivery Guaranteed’ service (send items by ‘next day delivery’ service rather than via the ordinary mail) to protect the data from being lost.


E-Brief article: Redacting personal data - a risky business

Responding to subject access and freedom of information requests often requires the careful removal – or ‘redaction’ – of exempt information. However, as many organisations can corroborate, redacting information, if not done properly, can be a risky business. There have been many examples across the country of personal and confidential information being disclosed by mistake when it was thought that the data in question had been safely and irreversibly removed.

While the use of black marker pens, correction fluids and photocopiers is not fool-proof, redaction errors most often occur when dealing with electronic data. Hidden data, pivot tables and meta-data can all contain sensitive information that is easy to overlook. However, the onus upon organisations to disclose data in usable electronic formats is continuing to increase.

The Information Commissioner's Office (ICO) has recently published a guide on how to disclose information safely by removing personal data before it is published. The guidance is highly practical and includes real data files with examples of hidden data and technical guidance on how to remove it. The guidance is vital reading for anyone who is responsible for handling redaction and wants to know how to avoid common pitfalls identified by the ICO. The guidance is available online.

Further Help with Freedom of Information

For further information and help with the Freedom of Information Act 2000, please contact:

Suzanne Crutchley
Information Governance Manager
NHS CWW Commissioning Support Unit
Tel: 01244 650551
Fax: 01244 385151
[email protected]


E-Brief article: Corporate Records Retention

The Corporate Records Management and Retention Policy for the CCG sets out the requirements of all staff when managing the retention of all types of records. The Policy incorporates the Records Management: NHS Code of Practice. This is a guide to the required standards of practice in the management of records for those who work within or under contract to NHS organisations in England. The standards are based on legal requirements and professional best practice. The CCG Policy and NHS Code together will help to ensure that the CCG keeps the records it needs for business, regulatory, legal and accountability purposes.

The Records Management: NHS Code of Practice is available at:

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/200138/Records_Management_-_NHS_Code_of_Practice_Part_1.pdf

The Records Management: NHS Code of Practice Annex D2: Business and Corporate (Non-Health) Records Retention Schedule (pages 69 to 105) is available at:

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/200139/Records_Management_-_NHS_Code_of_Practice_Part_2_second_edition.pdf

This retention schedule details a minimum retention period for each type of non-health record. Records may be retained for longer than the minimum period. However, records should not ordinarily be retained for more than 30 years.

The following types of record are covered by the retention schedules (regardless of the media on which they are held, including paper, electronic, images and sound):

administrative records (including personnel, estates, financial and accounting records, and notes associated with complaint handling)

photographs, slides and other images (non-clinical)

microform (i.e. microfiche/microfilm)

audio and video tapes, cassettes, CD-ROMs, etc

e-mails

computerised records; and

scanned documents

The schedule is split into the following types of records:

Administrative (corporate and organisation)

Biomedical Engineering

Estates/engineering


Financial

IM & T

Other

Personnel/human resources

Purchasing/supplies

Keeping unnecessary records wastes staff time, uses up valuable space and incurs unnecessary costs. The recommended retention periods shown on the Records Retention Schedule apply to the official or master copy of the records. Any duplicates or local copies made for working purposes should be kept for as short a period of time as possible. Duplication should be avoided unless absolutely necessary. It should be clear who is responsible for retaining the master version of a record and copies should be clearly marked as such to avoid confusion.

Thank you for your help with this.

Further Help

For further information and help with Information Governance, please contact:

Suzanne Crutchley LL.M
Senior Governance Manager (Information Governance)
North West Commissioning Support Unit
1829 Building, Countess of Chester Health Park
Liverpool Road, Chester, CH2 1HJ
Tel: 01244 650551
Email: [email protected]


E-Brief article: Subject Access Requests (SARs)

We all have the right to request access to information that is held about us. This right, commonly referred to as a Subject Access Request (SAR), is created by section 7 of the Data Protection Act 1998. It is most often used by individuals who want to see a copy of the information an organisation holds about them. However, the right of access goes further than this, and an individual who makes a written request and pays a fee is entitled to be:

told whether any personal data is being processed;

given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people;

given a copy of the information comprising the data; and

given details of the source of the data (where this is available).

This right of subject access means that you can make a request under the Data Protection Act 1998 to any organisation processing your personal data. The Act calls these organisations ‘Data Controllers’. Applicants can ask the organisation they think is holding, using or sharing their personal information, to supply copies of both paper and computer records and related information. Organisations may charge a fee of up to £50.

However, it is important to remember that not all personal information is covered and there are ‘exemptions’ within the Act which may allow an organisation to refuse to comply with your subject access request in certain circumstances.

Read more details about: Can I access personal information about my child? Can I access personal information on someone else’s behalf? Can I access information about the deceased under the Data Protection Act? How do I make a request? other SAR related guidance on the ICO website at: https://ico.org.uk/for-the-public/personal-information/

In more detail:

What is an individual entitled to? What is a valid subject access request? Can I require individuals to use a form? Can I send out an old version of the data? Do I have to explain the content? Can I charge a fee? Can I ask for more information before responding? What about requests made on behalf of others? What about requests for information about children? What should I do if the data includes information about other people? What about data held by credit reference agencies? What if I use a data processor? What if it’s time consuming or expensive? What about repeat or unreasonable requests? Can I require an individual to make a subject access request?


What do I do if I receive a SAR?

If you receive a request by e-mail for information under the Data Protection Act 1998, you must send it without delay to the CSU Customer Solution Centre, who manage all SAR requests for the CCG. If you receive a request by letter or fax for information, these should be scanned and emailed on. The SARs inbox address is: [email protected]

In most cases an organisation must respond to a subject access request promptly and in any event within 40 calendar days of receiving it. It is therefore essential that requests received directly by the CCG are emailed to the CSU without delay.

Further Help

For further information and help with Information Governance, please contact:

Suzanne Crutchley LL.M
Senior Governance Manager (Information Governance)
North West Commissioning Support Unit (NWCSU)
Phone: 01244 650551
Mobile: 07500 097350
Email: [email protected]
1829 Building, Countess of Chester Health Park, Liverpool Road, Chester CH2 1HJ
www.northwestcsu.nhs.uk